Buffer Overflow Protection

Discussion in 'other security issues & news' started by richrf, May 25, 2005.

Thread Status:
Not open for further replies.
  1. CN232

    CN232 Guest

    And a neophyte such as myself quickly realised that it is trivial to name a process anything an attacker would like.
     
  2. Cn232

    Cn232 Guest

    Actually I would and have agreed and stated many times PG's value with regards to process modification/termination. It's the exe monitoring (pro-active defense as Rich called it) that I'm not sold on.

    Yes this was brought up already. The whole "protection from processes that run without user intervention" thing that people mention in a vague way.

    So the question is if these problems can be countered by these steps, how much additional protection does exe monitoring give on top of that?
     
  3. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    "So the question is if these problems can be countered by these steps, how much additional protection does exe monitoring give on top of that?"

    From my experiences, a very small amount (possibly even microscopic) of incremental protection, assuming one has top-rated AV/AT, which I am more than happy to pay for (in both time and monetary costs), simply because the consequences of a breach would far outweigh any of my up-front costs. I am basically talking about a few hours of learning time (if that much) and $29. Totally insignificant. It basically is the time and money spent on one evening dinner. Insurance is like that. I pay far more for household fire insurance over the last 30 years and never had a fire.

    Would I recommend this solution to anyone who has privacy issues on their computer? Absolutely yes. If they are willing to spend $29 and a couple of hours of learning time in exchange for a higher degree of security, why would I dissuade them? They have an opportunity to try it out for free. It's up to them to decide whether or not "it is worth it". It's not up to me.

    Rich
     
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    That is why layered protection is best. There are all kinds of ways to "beat the security system". The idea is to make it as difficult as possible for the intruder while minimizing the costs.

    Rich
     
  5. CN232

    CN232 Guest

    You and I must be reading very different forums then. I see certain people running around these forums and others, telling everyone how exe protection (proactive defense or whatever buzzword) is critical and needed and that scanners alone are not enough, unless it's KAV and even then there are FPs...

    About how their poor clueless friends were infected and that with exe monitoring their problems are all solved etc..

    Yes, and I have acknowledged that a lot of times, you can see it in my posts. My problem is with exe protection which is singled out as PG's main strength, because it is so "proactive" and "it acts early in the execution stream" and all other technobabble, without stopping to think what that really means.

    I think there are 2 issues being discussed here.

    1) The value of IPS versus scanners as a whole
    2) exe monitoring itself as a specific behavioural alert.

    Most behaviour monitored is far more specific than the alert that x.exe is running and hence more useful to the user. An alert that a process is trying to change my hosts file or, to a lesser extent, is trying to install a hook is far more informative and has a far greater likelihood of being malware than a generic "exe is running" before I clicked on install 1 sec ago.

    Still my stand is that use of IPS is placing the burden squarely on the user, and not everyone is ready for them yet. They do increase security but at a much higher cost than the rare FPs that scanners find.

    Exe monitoring as a behaviour alert I think is probably one of the least useful to monitor for the less skilled and probably extracts a cost that is higher than all other behaviour monitored because of how often it occurs.

    Again we are in total agreement here.
     
  6. CN232

    CN232 Guest

    I love to use buzz words like "layered security" too, but if a security measure can be so easily beaten, that calls into question if said security measure is really effective as a layer, doesn't it?

    ~snip~ rename a file, but could you modify a known malware to evade KAV ? :)
     
    Last edited by a moderator: May 29, 2005
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Not at all. Different companies and products have different levels of knowledge and expertise. Often they will overlap (like a Venn diagram), but each product brings its own strengths. If it was possible I would run two AVs side-by-side, one that is very strong in heuristics and the other in signatures/updates (e.g. Nod32 and KAV).

    By overlapping products, a person is able to create a layered filtering effect which makes it more and more difficult for malware to penetrate. My own strategy is to use products that trap malware as early as possible in the execution stream, hopefully before they even begin to execute. It is a simple strategy and one that I do not mind if there is overlap. Layering filters is fine with me.

    I should also add that I use Image for DOS (Terabyte Unlimited) to keep a current image of my disk on an external HD, in case something does get through or if there is some doubt.

    I would very much like to hear your strategy, particularly in relation to the topic at hand. What do you use and what do you recommend to the average person?

    Rich
     
  8. CN232

    CN232 Guest

    Which begs the question why the heck you would run it if you knew it was malicious.


    I also made the point that when the last time this happened, which was really malicious.
    Of course not, I'm clueless. :)

    FYI I have experimented with these types of products for a long while. On some setups I've gone months with merely a firewall + exe monitoring + other IDS systems. I ran on purpose without any real time scanner to try to isolate the value of such monitoring.

    Not once has exe monitoring saved my hide. In the thread in the PG forum, I notice that the question of when PG has saved your computer has been met with vague answers and no positive answers.

    "If so, exactly what type of alerts are you talking about that are so difficult to handle? Can you provide me with a specific example and circumstance? Thanks.

    Rich"
     
  9. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    CN232,

    Just as a frame of reference for me, if someone approached you seeking firm recommendations, what would you specifically tell them? What specific actions should they take? It could range from specific products that you would recommend they install (if any; none is a viable answer) to what specific system configuration changes you would suggest.

    Just wondering....

    Blue
     
  10. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    My experiences are entirely the opposite. That is why PG has a free trial so that people can decide for themselves.

    There was at least one very important event which PG stopped dead cold in its tracks and I am sure glad I had PG. There have been many other times when PG has stopped execution. Whether or not it was malicious, I have no idea. But I am glad I had the opportunity to stop it. I want to decide what runs on my machine and what doesn't - and when it runs. Lots of people that I know have the same desire. My friend, who just installed it, loves it. He feels like he is in control again - and doesn't mind Googling once a year if that is what it takes.

    It seems that you don't want people to try it out. Is there a reason?

    Rich
     
  11. CN232

    CN232 Guest

    Rich, I'm not sure if you are trying to be obtuse on purpose.

    The point is in this case, either AV brings something to the table. If exe monitoring can be so easily bypassed (change process name) it makes little sense to use it in addition to other layers.

    If NOD32 was 100% useless or even 99% useless, I find it hard to be able to argue that it's a useful part of a layered defense.

    That would be a long story and one you basically know anyway. I don't claim any special insights, being clueless.

    The main thing though is I don't advocate a one size fit all approach. Certainly the average person has no need and no reason to run the same security setup as me.

    ~snip~

    I would advise using HIPS/behaviour monitoring tools to a minimum, unless the person has shown a motivation and interest. For example, I would certainly consider recommending RD and similar tools, since the concept of preventing processes from starting is fairly easy to grasp and has most bang for buck.

    I would certainly advise heavy use of scanners as opposed to HIPS/IDS because it places less of a burden on the user to react correctly.

    The best way to keep malware off your computer (the proactive approach) I think is still with scanners, good setups and common sense.

    I have already hammered in the point that exe monitoring cannot protect you from software you chose to install yourself (except maybe for a few experts).

    That leaves the whole "processes starting without user intervention" bit, where the real proactive approach is to harden your system so that you try to avoid the situation where you need to rely on exe monitoring.

    I submit that these instances are rare anyway (the same reason why buffer overruns are rare) if you are careful and practice safehex.

    Besides, if you don't even have this basic knowledge and keep clicking on yes to everything, I'm wondering if exe monitoring would save you anyway.

    ~snip~ continue to use exe monitoring to gain the tiniest percentage of protection, that is fine with me and I do the same.
     
    Last edited by a moderator: May 29, 2005
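    CN232's "rename a file" point (raised here and in post 1) is easy to show concretely. The following is an added example, not code from the original thread and not ProcessGuard's or any other product's code: it contrasts an execution allowlist keyed on the filename with one keyed on a SHA-256 of the file contents, over three constructed "process is about to start" events. The program bytes, the filenames, the two policy functions and the scenario labels are all assumptions made up for the illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample programs: in reality these would be the bytes of the
# executable files on disk. A hash allowlist keys on this content, not on
# whatever name the file happens to carry.
KNOWN_GOOD_PROGRAM = b"MZ\x90\x00 constructed bytes of a trusted editor"
UNKNOWN_PROGRAM = b"MZ\x90\x00 constructed bytes of some unvetted download"


@dataclass(frozen=True)
class ExecEvent:
    """One 'process is about to start' event as an exe monitor would see it."""
    filename: str     # the name the file has on disk (attacker-controlled)
    contents: bytes   # what is actually about to be executed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def name_based_decision(event: ExecEvent, allowed_names: set) -> str:
    """Allowlist keyed on the filename only. Returns 'allow' or 'prompt'."""
    return "allow" if event.filename.lower() in allowed_names else "prompt"


def hash_based_decision(event: ExecEvent, allowed_hashes: set) -> str:
    """Allowlist keyed on a SHA-256 of the contents. Returns 'allow' or 'prompt'."""
    return "allow" if sha256_hex(event.contents) in allowed_hashes else "prompt"


def run_scenarios() -> dict:
    """Run both policies over three constructed events.

    Returns {scenario_label: (name_based_result, hash_based_result)}.
    """
    allowed_names = {"notepad.exe"}
    allowed_hashes = {sha256_hex(KNOWN_GOOD_PROGRAM)}

    scenarios = {
        # The trusted program under its usual name.
        "genuine": ExecEvent("notepad.exe", KNOWN_GOOD_PROGRAM),
        # An unvetted program that has merely been given the trusted name:
        # the name check passes, the content check does not.
        "unknown_renamed_to_trusted": ExecEvent("notepad.exe", UNKNOWN_PROGRAM),
        # The trusted program under another name (e.g. a backup copy):
        # the name check prompts needlessly, the content check still allows it.
        "genuine_under_other_name": ExecEvent("np_backup.exe", KNOWN_GOOD_PROGRAM),
    }
    return {
        label: (name_based_decision(ev, allowed_names),
                hash_based_decision(ev, allowed_hashes))
        for label, ev in scenarios.items()
    }


if __name__ == "__main__":
    for label, (by_name, by_hash) in run_scenarios().items():
        print(f"{label:28s} name-based: {by_name:6s}  hash-based: {by_hash}")
```

    The hash-keyed policy is unaffected by a rename in either direction, which is the property the name-keyed one lacks. It has its own cost, the one CN232 describes elsewhere in the thread: every legitimate update to an allowed program changes its hash and produces a fresh prompt, so the burden of deciding still lands on the user.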
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    It is very easy to criticize. Some people make careers out of it.

    I am advocating that:

    1) An AV/AT scanner is the first line of defense. Good ones (such as Kaspersky) will catch 99% of what needs to be caught.

    2) However, 99% is just not good enough when it comes to my financial affairs. FDIC covers 100% of my money in my bank. My fire insurance covers 100% of my home. So to get better than 99%, I introduce added layers of protection. The next layer being WormGuard and ProcessGuard. The concept is very simple. If someone really has something important to protect, the extra few dollars and time is truly minuscule. But you seem to think it is HUGE! Why?

    3) Beyond this, I also have RegDefend to protect me in the off-chance that I did make a mistake on my top-two layers. Even a lower probability but again it is just a few dollars. I have decided to spend the money. Any problem with people such as myself making that decision when it comes to our security and privacy?

    I would still like to know specific recommendations. Again, it is extremely easy to criticize solutions that are not 100% (there are always holes), it is far more difficult to present one's own solutions that offer practical value. Telling people what not to do generally yields nothing.

    Rich
     
  13. CN232

    CN232 Guest

    I submit it was almost 100% harmless. But that's the difference between you and me I guess, I would investigate. I don't assume everything that some IDS tells me is malicious. If something that is not malicious causes a popup, it's a waste of time and energy in my book for me to investigate (goes beyond googling).

    I submit you must have highly unusual friends. Most people I know want to use computers to do a certain task. They are not interested in the guts of the system or what is running. They don't care what runs as long as it doesn't prevent them from doing what they aim to do (surfing, email, whatever).

    It's hard enough to get them to use scanners (because it slows them down according to them), to get them to use a product that requires them to learn about the windows system processes? You must be kidding.


    Because I hate PG of course. JK. No, because in my experience it's going to be a waste of their time. I could probably scare them into using it, but I highly doubt it would be used correctly and the gains would be minimal compared to showing them something really useful (firefox, hardening of windows etc).

    All this would be straining their abilities and interest already.

    PG and similar tools would come after the basics are done, if at all.
     
  14. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    cluelessnewbie, aka CN232, etc., I've edited out the negative, and sarcastic comments towards others in several of your posts. I've also removed a post that was nothing more than a condescending comment towards another member.

    I'll ask you to stay with the topic being discussed and refrain from further personal remarks. Sarcasm and negativism towards others' views and opinions will not be allowed. We've been down this road before....agree to disagree and respect others' points of view, opinions, and choice of software.
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    You must be kidding. You know nothing about the event (which has been documented by other users) and yet you know it was harmless. 'nuf said.


    Now you are judging my friends and putting them on the fringe because you disagree with them.

    Totally opposite my experiences. The people I know are very aware of security and privacy issues on the Internet and are more than happy to learn how to use products that afford them protection.

    Fine. I think people appreciate that you are trying to save them time. Maybe you can tell them which products they should adopt that will save them time.


    Fine, I would like to hear your recommendations for hardening windows, etc. that you would recommend for the average user. Not general concepts, but specific recommendations. When my friend asks me for advice, I generally don't send them home with a homework assignment. I am very clear with my advice. I would hope that you would share with us your advice on what to do rather than on what not to do.

    What basics are you advocating? Specifics? It seems like you really like MS Anti-Spyware. Is this high on your list?

    Rich
     
  16. CN232

    CN232 Guest

    Blue, I must admit I'm surprised at your question.


    Let me tell you first I would NOT tell them.

    I would resist the natural temptation to tell them what cool security tools I run myself and what a perfect setup I have. I would instead ask them a series of questions.

    As I mentioned to Rich, it would depend on many factors. At the very least I would find out what type of activities they carry out, their computer specs, how willing they are to deal with prompts, how much is their budget, the value of the data on their computer etc.

    For the typical user, I would expect that exe monitoring is of almost no value.

    Without such information, your question is meaningless, wouldn't you agree?
    Of course, I could easily just turn off my brain and tell them what I run, but that would be useless to them.
     
  17. CN232

    CN232 Guest

    And you count it as one of the times PG saved your life. So you know it was harmful?

    Not before you tell me more about your friends.


    LOL, I would assume with someone of your experience, it wouldn't be necessary to go into specifics.

    Honestly, do you expect me to post everything I know about security hardening on this one post? It would take a while. I expect the same if I asked you about all the things you know about security.


    Rich, I notice you snipped out the parts where I mention that what specific recommendation I make depends on lots of factors, and instead you insist on specifics without supplying these factors.

    Somehow I get the sense you just want to attack me , no matter what I recommend.

    MSAS I think is good if you don't want to pay; it has a fairly comprehensive IDS system. And the scanner is pretty highly rated. But it doesn't run on win98 (counterspy then would be a replacement).

    Nothing earthshaking, I'm afraid, everyone knows this. But I can't give more without other specifics.

    Happy now?
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    O.K. I will give you a couple of scenarios:

    1) Heavy usage with online financial institutions.
    2) Lots of private information.
    3) New computer (purchased in the last month)
    4) Willing to spend up to $200 in security software.
    5) Willing to spend the time necessary to learn how to use the software, because of the security requirements.
    6) Browses the net for information relating to personal and business questions. Mostly uses Google.

    Second scenario:

    1) New computer (about 1.5 years old)
    2) Uses computer to access online banking, online shopping.
    3) Lots of personal data relating to work.
    4) Willing to spend up to $150 for security software.
    5) Willing to spend the time necessary to learn the software.
    6) Browses the net for information relating to work and personal hobbies. Mostly uses google.

    If you need more information, I would be happy to supply these scenarios. They are both real.
    Rich
     
    Last edited: May 29, 2005
  19. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    The reason it would be welcome to understand all of your recommendations (e.g. Windows hardening) is because it would then be possible for other users who are looking for solutions to judge whether your approach is more or less applicable to their situation. I have tried "windows hardening" approaches and have found them to be completely unmaintainable and far more difficult to administer than simply putting in a strong layered protection shield. Even if I value my time at $15/hour, the time required for some of the solutions that you are suggesting would far exceed some of the solutions that I am suggesting and probably with about equal results.

    Therefore, it would be very helpful for you to actually itemize your suggestions so that a comparison can be made.

    Rich
     
  20. CN232

    CN232 Guest

    6) might be expanded to include info on whether he does IM, P2P, online gaming,

    Might include info on computer specs, OS, RAM, processor, on LAN or standalone, broadband/dialup etc. Is the computer shared?

    Perhaps a new thread? It would be fun to see what different people turn up with. Personally I think your scenario is basically one that fits the typical Wilders member (both scenarios are you), given 4) and 5).

    If so, this is a situation that is pretty much well discussed. Might be more interesting if we changed 4) and 5)

    I'll give a more considered answer later, but I would suggest that in scenario
    1) Antiphishing and antikeylogging should be a priority (I believe you know the standard apps as well as I do Rich), with the former being less important the more knowledgeable the user is.
     
  21. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    Both systems are well equipped (since they are both fairly new) with 512K RAM and 2+ Ghz processors. Scenario 1 uses DSL, Scenario 2 uses dial-up. Neither is on a LAN. Neither does IM, P2P or online gaming.

    I am sure if we started a new thread, we would get 50 responses with 50 different recommended architectures. What I am primarily interested in is what you would recommend, so that it is possible to compare solutions.

    Thanks.

    Rich
     
  22. CN232

    CN232 Guest

    Without going into specifics, it's hard to see why you think it's hard to maintain, given that most tweaks are one off shots anyway. Of course, if you go around disabling every service (one way of hardening the OS) without consideration of how the computer is going to be used, it's going to be a big problem.

    That's why one size fits all solutions don't exist.


    How you value your time is something I cannot comment on of course. But I submit given your evident interest in security, the payoff would be pretty big anyway.

    Also remember, buying a software solution does not mean you don't have to spend time learning. For exe monitoring programs that you are a fan of, learning how to handle them in most cases would exceed any hardening measures.

    And of course, lest you misunderstand, I'm not against "layering", but hardening the OS is the first step you should always take.
     
  23. CN232

    CN232 Guest

    And what is wrong with that? Isn't the idea of this forum to share ideas? Or as I mentioned is this just a disguised attempt to attack my recommendations?

    If you want me as a personal consultant , you will have to pay Rich :)
    Seriously, if this is going to be a one on one discussion (and it seems to be so for the last few posts), there are other venues for that.
     
  24. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CN232,

    I understand entirely.

    Rich
     
  25. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I guess I take this as such an implied starting point, it didn't occur to me to be explicit on this point. Of course you have to know a specific user's objectives, constraints, and preferences to obtain a good fit. For the discussion at hand, you could provide a strawman scenario and build off that.

    Sounds like all the appropriate things I try to weigh when dispensing advice - basically the same as myself I'd guess.

    I'm in the undecided camp here, but for the genuinely skittish user, I'd agree, probably not the best expenditure of time and/or money.

    I agree that you need the information, although for the sake of discussion a scenario could be posited and the discussion could be pursued from there. I agree that playing back your own setup as the only objective configuration worthy of consideration is not a good approach, but as a starting point for discussion, it is often an operationally convenient beginning to the real discussion.

    To solidify this discussion, let's take myself - 2.8 GHz P4 with 1 GB RAM, ~ 400 GB HD space. Primary uses are:
    • Internet surfing for news and technical information.
    • Participation in limited number of mailing lists
    • Download of free technical computing applications from "unproven" non-commercial sites - not complicated stuff - just noncommercial software from private postings. Obviously potentially infected.
    • Fair amount of on-line purchasing from secure sites only
    • On-line banking
    • On-line administration of 401k pension funds (all $12 of it :))
    • On-line receipt of technical manuscripts for peer review and submission of those reviews
    • Personal/professional e-mail
    • What I don't do at this time - no instant messaging
    You can see what I came up with, if interested, here. It's a work in progress and a lot of what is shown are legacy applications. What I consider appropriate for a typical user is a router, good AV, and a good AT for realtime coverage. An antispyware application is useful for infrequent cleanup to me, but I choose my AT/AV combo such that this is the case. The proactive applications are for someone who desires to build an additional protective layer into the mix. A similar comment applies to the need of a software firewall, although I view this yet another step lower in priority needs.

    Blue
     